Cooperation method and system of hardware secure units, and application device

ABSTRACT

The present invention provides a cooperation method of a mobile hardware secure unit and a fixed hardware secure unit, comprising: providing user&#39;s identification information of a mobile hardware secure unit; providing platform&#39;s identification information of a computer-based or other-device-based fixed hardware secure unit; establishing a bidirectional communication pipe between the mobile and fixed hardware secure unit; and binding the mobile and fixed hardware secure units through interaction of the user&#39;s identification information and the platform&#39;s identification information. The present invention further provides a cooperation system of a mobile hardware secure unit and a fixed hardware secure unit as well as a computer device, with which the security solution based on a fixed hardware secure unit can be combined with a mobile hardware secure unit securing a user&#39;s identity.

BACKGROUND OF THE INVENTION

1. Field of Invention

The present invention relates to a hardware secure system, and inparticular to cooperation method and system of fixed and mobile hardwaresecure units as well as a computer device using the fixed hardwaresecure unit.

2. Description of Prior Art

Current computers and other devices are each provided with an internalsecure chip to guarantee their own security. For the secure chip, aplatform certificate is loaded for providing platform identification tothe outside. When a computer or other device communicates with a thirdparty device, the platform certificate inside the secure chip canprovide the third party device with the identification of the computeror other device.

The existing hardware secure chip solution based on computer or otherdevice can guarantee security for the platform. Unfortunately, since thesecure chip is fixed on the PC or other device and difficult to move,the hardware secure chip solution based on computer or other device canonly be implemented by a designated machine, causing inconvenience inmobile use by a user.

For the conventional USB Keys and smart cards, their certificates andkeys are placed within their own secure chips, each of which acts as ablack box for providing functions of identity authentication andcryptography to the outside. The USB Key and smart card are used as auser's ID in a typical online bank application. In the USB Key, there isa secure chip which requires authentication from a bank or a server. Anelectronic certificate issued by the service is loaded safely to the USBKey, and the electronic certificate contains a key used in signature. Atthe stage of connecting to the bank or the service, the USB Key user'sidentity must be verified by means of password or any otherauthentication practice like finger print, to gain the right to use thekey. When the user submits to the server his or her data such as“transfer XX dollars to XX account”, the information must be signed withthe electronic certificate of the USB Key, as an important evidence inconfirming the user's operation. Meanwhile, the secure chip within theUSB Key can also generate a user key. Data encrypted with the user keycan be decrypted only with the key authorized by the user.

Two defects exist in the current solution of USB Key or smart cardidentifying a user.

-   1. The USB Key or smart card solution is responsible for only the    user's identity other than security of the overall operating    environment. Inherently, the solution cannot avoid or prevent a    hacker program running in the computer from stealing the password of    the USB Key or smart card. The user's identity cannot be secured    after the USB Key or smart card is lost or the password is stolen.-   2. The USB Key or smart card solution generally uses a password of    several enterable characters to verify the user's identity. This is    the weakest security factor in the overall secure system and    susceptible to some violent attack.

SUMMARY OF THE INVENTION

The object of the present invention is to provide cooperation method andsystem of fixed and mobile hardware secure units, with which thesecurity solution based on a fixed hardware secure unit can be combinedwith a mobile hardware secure unit securing a user's identity.

The present invention provides a cooperation method of a mobile hardwaresecure unit and a fixed hardware secure unit, comprising:

-   providing user's identification information of a mobile hardware    secure unit;-   providing platform's identification information of a computer-based    or other-device-based fixed hardware secure unit;-   establishing a bidirectional communication pipe between the mobile    and fixed hardware secure unit; and-   binding the mobile and fixed hardware secure units through    interaction of the user's identification information and the    platform's identification information.

Preferably, the bidirectional communication pipe is established betweenthe mobile and fixed hardware secure units by means of key negotiationor public key exchange.

Preferably, the bi-directional communication pipe is updated orabolished by the mobile and/or fixed hardware secure units.

Preferably, the interaction of unique identification informationcomprises:

-   sending the user's identification information of the mobile hardware    secure unit to the fixed hardware secure unit which in turn    recognizes and records the user's identification information;-   sending the platform's identification information of the fixed    hardware secure unit to the mobile hardware secure unit which in    turn recognizes and records the platform's identification    information.

Preferably, the interaction of unique identification information isperformed after the user's identification information of the mobilehardware secure unit and/or the platform's identification information ofthe fixed hardware secure unit undergoes cryptography processing.

Preferably, the mobile and fixed hardware secure units perform asecondary encryption on information to be transmitted.

Preferably, the mobile and fixed hardware secure units perform theirsecondary encryption on plaintext to be transmitted;

-   the mobile and fixed hardware secure units perform their secondary    signing on the signature which represents identity information and    is to be transmitted.

Preferably, after the step of binding, the method further comprises:

-   registering by each of the mobile and fixed hardware secure units to    a server, which confirms the binding relationship between the mobile    and fixed hardware secure units.

Preferably, the registration of the mobile and fixed hardware secureunits to the server comprises:

-   the mobile hardware secure unit packing information to be registered    with the server and transmitting it to the fixed hardware secure    unit;-   the fixed hardware secure unit packing its own registration    information together with the packed registration information of the    mobile hardware secure unit, and transmitting the packed information    to the server.

Preferably, the registration of the mobile and fixed hardware secureunits to the server comprises:

-   the mobile hardware secure unit packing information to be registered    with the server and transmitting it to the server;-   the fixed hardware secure unit packing its own registration    information and the user's identification information of the mobile    hardware secure unit together and transmitting the packed    information to the server.

Preferably, while sending a service request to the server, the mobileand fixed hardware secure units signs together under the bindingrelationship to present the platform's identity and the user's identityat the same time.

Preferably, the mobile and fixed hardware secure units perform asecondary encryption on content to be sent to the server.

The present invention provides a cooperation system of a mobile hardwaresecure unit and a fixed hardware secure unit, comprising a mobilehardware secure unit, a fixed hardware secure unit, a communication pipeestablishment unit and a binding unit, wherein

-   the mobile hardware secure unit is used for representing a user's    identity;-   the fixed hardware secure unit is computer-based or    other-device-based and for representing a platform's identity;-   the communication pipe establishment unit is used for establishing a    bidirectional communication pipe between the mobile and fixed    hardware secure unit; and-   the binding unit is used for binding the mobile and fixed hardware    secure units together through interaction of unique identification    information.

Preferably, the cooperation system further comprises a condition settingunit and/or an update unit and/or an abolishment unit,

-   wherein the condition setting unit is used for setting a condition    for updating or abolishing the bidirectional communication pipe;-   the update unit is used for updating the bidirectional communication    pipe or updating the bidirectional communication pipe according to    the condition set by the condition setting unit;-   the abolishment unit is used for abolishing the bidirectional    communication pipe or abolishing the bidirectional communication    pipe according to the condition set by the condition setting unit.

Preferably, the cooperation system further comprises a processing unitfor performing cryptography processing on the unique identificationinformation of the mobile hardware secure unit and/or the uniqueidentification information of the fixed hardware secure unit.

The present invention provides a computer device comprising a fixedhardware secure unit firmed inside, the fixed hardware secure unit isloaded with a platform certificate for representing a platform'sidentity, wherein

-   a bidirectional communication pipe is established between the fixed    hardware secure unit and a mobile hardware secure unit representing    a user's identity;-   the mobile and fixed hardware secure units are bound together    through interaction of unique identification information.

Preferably, the computer device further comprises a condition settingunit and/or an update unit and/or an abolishment unit,

-   wherein the condition setting unit is used for setting a condition    for updating or abolishing the bidirectional communication pipe;-   the update unit is used for updating the bidirectional communication    pipe or updating the bidirectional communication pipe according to    the condition set by the condition setting unit;-   the abolishment unit is used for abolishing the bidirectional    communication pipe or abolishing the bidirectional communication    pipe according to the condition set by the condition setting unit.

Preferably, the computer device further comprises a processing unit forperforming cryptography processing on the unique identificationinformation of the mobile hardware secure unit and/or the uniqueidentification information of the fixed hardware secure unit.

In the cooperation method of the mobile and fixed hardware secure unitsof the above embodiment, a communication pipe is established between themobile and fixed hardware secure units to enable secure filetransmission between the mobile and fixed hardware secure units. Also,the mobile and fixed hardware secure units are bound with each other,and if data is sent to a third party after the binding of the mobile andfixed hardware secure units, the data can be obtained only after boththe mobile and fixed hardware secure units performs decryption. In thisway, the cooperation method of the above embodiment solves the problemin the prior art that the fixed hardware secure unit based on computeror other device cannot be moved easily and some machine must bespecified, causing inconvenience in mobile usage. Further, in thecooperation method, the security solution based on a fixed hardwaresecure unit can be combined with a mobile hardware secure unit securinga user's identity, thereby improving security of data transmission.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flowchart of the first embodiment of the cooperation methodin the present invention;

FIG. 2 is a schematic block diagram of the communication pipe in thepresent invention;

FIG. 3 is a flowchart of the second embodiment of the cooperation methodin the present invention;

FIG. 4 is a flowchart of the first embodiment of the cooperation systemin the present invention; and

FIG. 5 is a flowchart of the second embodiment of the cooperation systemin the present invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

The present invention provides a method of cooperation between fixed andmobile hardware secure units, with which the security solution based ona fixed hardware secure unit can be combined with a mobile hardwaresecure unit securing a user's identity.

Referring to FIG. 1, a flowchart of the first embodiment of thecooperation method in the present invention is shown.

The first embodiment of the cooperation method in the present inventioncomprises the following steps.

S100, provide a mobile hardware secure unit representing a user'sidentity.

The mobile hardware secure unit can be an identification secure chip inUSB Key or a smart card with identity authorized by a server.

In the USB Key or the smart card, there is an identification (ID) securechip which can be authenticated by the server through the followingprocess: the identification secure chip downloads an electroniccertificate which is issued by the server and contains a key used insignature; the user's identity is verified by means of password or anyother authentication practice like finger print so that the user cangain the right to use the key.

When the user submits to the server his or her data, the data must besigned with the electronic certificate, and the signature acts as animportant evidence for confirming the user's operation.

The Identification secure chip can be used as the mobile hardware secureunit.

The Identification secure chip within the USB Key can generate a userkey. Data encrypted with the user key can be decrypted only with the keyauthorized by the user.

S200, provide a computer-based or other-device-based fixed hardwaresecure unit representing the identity of the platform.

A platform Identification secure chip is provided within the computer orother device. The platform Identification secure chip is loaded with aplatform certificate and responsible for providing the ID of theplatform to the outside. The platform Identification secure chip can beused as the fixed hardware secure unit.

S300, the mobile and fixed hardware secure units create a bi-directionalcommunication pipe.

The mobile and fixed hardware secure units can create the bi-directionalcommunication pipe by means of public key exchange.

So-called public key exchange is giving the public key Ka of the fixedhardware secure unit to the mobile hardware secure unit, giving thepublic key Kb of the mobile hardware secure unit to the fixed hardwaresecure unit, and the mobile and fixed hardware secure units each holdtheir own private keys Ka′, Kb′.

Referring to FIG. 2, a schematic block diagram of the communication pipein the present invention is shown. The establishing procedure is the“public key exchange” process.

The fixed hardware secure unit encrypts plaintext M to be transmittedwith its public key Ka to generate cryptograph C. Then, the fixedhardware secure unit transmits the cryptograph C to the mobile hardwaresecure unit, which decrypts the cryptograph C with its private key Kb′to obtain the plaintext M. As such, a unidirectional communication pipefrom the fixed hardware secure unit to the mobile hardware secure unitis established.

The mobile hardware secure unit encrypts plaintext M to be transmittedwith its public key Ka to generate cryptograph C. Then, the mobilehardware secure unit transmits the cryptograph C to the fixed hardwaresecure unit, which decrypts the cryptograph C with its private key Ka′to obtain the plaintext M. As such, a unidirectional communication pipefrom the mobile hardware secure unit to the fixed hardware secure unitis established

Then, the unidirectional communication pipe from the fixed hardwaresecure unit to the mobile hardware secure unit and the unidirectionalcommunication pipe from the mobile hardware secure unit to the fixedhardware secure unit collectively form the bidirectional communicationpipe between the fixed and mobile hardware secure units.

The above establishment of the bidirectional communication pipe isperformed by exchanging public keys between the mobile and fixedhardware secure units.

The mobile and fixed hardware secure units can also establish thebidirectional communication pipe by means of key negotiation.

In an insecure environment, a key system is usually adopted to encryptinformation to be transmitted for meeting requirements of security andintegrity. Also, a corresponding decryption key is required at theinformation receipt side for decrypting the encrypted information.

The conventional key system is called single key system, which ischaracterized in that the encryption and decryption keys can mutuallyderive the sender and recipient of information.

In such single key system, a member can encrypt information with ashared key and deliver the encrypted information to another member.Unfortunately, a key session is difficult to establish between themembers if they are far away from each other.

There are two approaches to establish a key session, namely, keydistribution and key negotiation.

Key distribution is a mechanism by which a member can choose to delivera key to another member in a secured manner.

Key negotiation requires the members participating in a session to setup a public key together. In a network environment, key negotiation ismore advantage than key distribution, since the participants can set upa key randomly without any mechanism for key distribution andmanagement.

Group key agreement is a method based on distributed concept andcharacterized in that: 1) more than one member of a group participatesin key generation, 2) the key for the group is decided collectively byparameters provided from each member and the key generation algorithm,3) none of the group members can determine the key in advance.

Several popular methods of group key agreement and distribution havebeen known, including CKD (Centralized Group Key Distribution), BD(Burmester-Desmedt), STR (Steer et al.), GDH (Group Diffie-Hellman) andTGDH (Tree-Based Group Diffie-Hellman).

In 1976, Whit Diffie and Martin Hellman proposed Diffie-Hellman(abbreviated as DH) algorithm, which is a protocol of key exchangebetween two parties and used for secure negotiation of a shared keybetween two peer-to-peer entities. The DH algorithm in nature is aprotocol for key negotiation by both communication parties. The securityof the DH algorithm is based on difficulty with which a discretelogarithm is computed over a limited domain.

The details of the Diffie-Hellman key exchange protocol are given asfollows. First, both parties, Alice and Bob, agree on two large integersn, g, 1<g<n. The two integers are not necessary to be kept secret. Then,the following process is performed:

-   1) Alice chooses a large integer x (kept secret) randomly and    calculates X=gx mod n;-   2) Bob chooses a large integer y (kept secret) randomly and    calculates Y=gy mod n;-   3) Alice sends X to Bob, and Bob sends Y to Alice;-   4) Alice calculates K=Yx mod n;-   5) Bob calculates K=Xy mod n.-   K is exactly the shared key.

A spy person, Oscar, can only spy on and obtain X and Y over thenetwork, but cannot calculate x and y with the obtained X and Y. Thus,Oscar cannot calculate K=gxy mod n.

The communication pipe can be updated or abolished by any one of themobile hardware secure unit and the fixed hardware secure unit. Also,the communication pipe can be updated or abolished together by both ofthe mobile hardware secure unit and the fixed hardware secure unit.

Update of the communication pipe: one of the mobile hardware secure unitand the fixed hardware secure unit sends a new key encrypted with theold encryption key to the other party via the communication pipe; then,communication is made with the new key; thus, the communication pipe isupdated.

Abolishment of the communication pipe: the mobile hardware secure unitor the fixed hardware secure unit deletes the old key directly; thus,the communication pipe is abolished.

Further, the communication pipe can be updated or abolished accordingto, for example, a predetermined time period or a predetermined numberof times by the mobile hardware secure unit or the fixed hardware secureunit. In such case, the communication pipe is updated or abolished whenthe predetermined time period has elapsed or data exchange has performedfor the predetermined number of times.

When a bidirectional communication pipe is been establishing between themobile hardware secure unit and the fixed hardware secure unit, themobile hardware secure unit or the fixed hardware secure unit can set avalid time period of, for example, 1 hour for the bidirectionalcommunication pipe. The bidirectional communication pipe will beabolished as soon as the period of 1 hour has elapses.

When a bidirectional communication pipe is been establishing between themobile hardware secure unit and the fixed hardware secure unit, themobile hardware secure unit or the fixed hardware secure unit can set avalid number of times, for example, 100, for data exchange. Thebidirectional communication pipe will be abolished as soon as dataexchange has occurred for 100 times.

When a bidirectional communication pipe is been establishing between themobile hardware secure unit and the fixed hardware secure unit, themobile hardware secure unit or the fixed hardware secure unit can set anupdate time condition of, for example, 1 hour for the bidirectionalcommunication pipe. The bidirectional communication pipe will be updatedwith predefined content as soon as the period of 1 hour has elapses,i.e., the update time condition has been met.

When a bidirectional communication pipe is been establishing between themobile hardware secure unit and the fixed hardware secure unit, themobile hardware secure unit or the fixed hardware secure unit can setthe update condition as the number of times for data exchange. Forexample, the update condition can be set as 100 times for data exchange.The bidirectional communication pipe will be updated with predefinedcontent as soon as data exchange has occurred for 100 times, i.e., theupdate condition has been met.

Further, the communication pipe can be updated or abolished accordingto, for example, a predetermined time period or a predetermined numberof times set together by both of the mobile hardware secure unit and thefixed hardware secure unit. In such case, the communication pipe isupdated or abolished when the predetermined time period has elapsed ordata exchange has performed for the predetermined number of times.

The update or abolish condition set together by both of the mobilehardware secure unit and the fixed hardware secure unit can be acondition negotiated by both parties, or combination of a condition setby the mobile hardware secure unit and a further condition set by thefixed hardware secure unit. When the two conditions are both satisfied,the update or abolishment can be enabled.

S400, the mobile hardware secure unit and the fixed hardware secure unitare bound with each other through interaction of unique identificationinformation.

Specifically, the interaction of unique identification informationcomprises: the unique identification information of the mobile hardwaresecure unit is sent to the fixed hardware secure unit, which in turnrecognizes and records the unique identification information; meanwhile,the unique identification information of the fixed hardware secure unitis sent to the mobile hardware secure unit, which in turn recognizes andrecords the unique identification information. Such mutual recognitionand recording process is exactly a process of creating a bond betweenthe mobile hardware secure unit and the fixed hardware secure unit.

The interaction of unique identification information can be performedbetween the mobile hardware secure unit and the fixed hardware secureunit after the information undergoes cryptography processing. Thecontent to be interacted can be a result from some cryptographyprocessing, such as operations of hybridization, encryption, extending,HASH and HMAC. Then, the processing result is “exchanged” as basis ofbinding and recognition. Also, the information itself can be “exchanged”directly without any processing.

The interaction of unique Identification information can be performedbetween the mobile hardware secure unit and the fixed hardware secureunit after the information of both parties undergoes cryptographyprocessing.

The mobile hardware secure unit and the fixed hardware secure unit caninteract with each other via their unique identification information,such as certificate, key, ID, password, to achieve a mutual binding.

Every communication is required to be performed over the communicationpipe after it is established, and the communication pipe is encrypted.As a result, the above binding process is actually a process of mutualidentifying and recording. Both of the parties each remember the fixedunique identification information or HASH values of the information ofthe opposite party.

The binding between the mobile hardware secure unit and the fixedhardware secure unit can be queried or deleted.

The mobile hardware secure unit can query about whether there is bindingbetween itself and the fixed hardware secure unit, by inputting theunique identification information or the HASH values of the informationof the fixed hardware secure unit.

Meanwhile, the fixed hardware secure unit can query about whether thereis binding between itself and the mobile hardware secure unit, byinputting the unique identification information or the HASH values ofthe information of the mobile hardware secure unit.

Deletion of the binding between the mobile hardware secure unit and thefixed hardware secure unit is that the mobile hardware secure unit orthe fixed hardware secure unit deletes the unique identificationinformation of the other parties.

The binding between the mobile hardware secure unit and the fixedhardware secure unit can be updated or abolished on certain conditionof, for example, time period and number of times, to ensure security ofthe binding.

A valid time period of, for example, 1 hour, can be set for the bindingbetween the mobile hardware secure unit and the fixed hardware secureunit. The binding will be abolished as soon as the period of 1 hour haselapses.

A valid number of times, for example, 100, for data exchange can be setfor the binding between the mobile hardware secure unit and the fixedhardware secure unit. The binding will be abolished as soon as dataexchange has occurred for 100 times.

An update time condition of, for example, 1 hour can be set for thebinding between the mobile hardware secure unit and the fixed hardwaresecure unit. The binding will be updated with predefined content as soonas the period of 1 hour has elapses, i.e., the update time condition hasbeen met.

The update condition of the binding between the mobile hardware secureunit and the fixed hardware secure unit can be set as the number oftimes for data exchange. For example, the update condition can be set as100 times for data exchange. The binding will be updated with predefinedcontent as soon as data exchange has occurred for 100 times, i.e., theupdate condition has been met.

The mobile and fixed hardware secure units can perform a secondaryencryption on content to be transmitted to a third party.

The mobile and fixed hardware secure units can perform the secondaryencryption on plaintext to be transmitted to a third party.

The mobile and fixed hardware secure units can perform secondary signingon the signature which represents identity information and is to betransmitted to a third party.

In the case of asymmetrical key, the mobile and fixed hardware secureunits can perform second public key encryption on plaintext to betransmitted to a third party. The mobile and fixed hardware secure unitscan perform second private key encryption on the signature whichrepresents identity information and is to be transmitted to a thirdparty.

Important data like electronic certificate must be encrypted anddecrypted twice by the mobile and fixed hardware secure units under thecondition of a binding between the two parties. Alternatively, each ofthe mobile and fixed hardware secure units can encrypt some dataindividually and unrepeated, so as to complete the encryption forsecurity enhancement.

The important data can be set or determined according to applications oras needed by the user.

The encryption and decryption keys for the important data should not bemoved between the two parties in a binding relationship to furtherguarantee data security. On the other hand, these keys can be encryptedand then moved or stored. Keys other than the encryption and decryptionkeys for the important data can be moved and backed-up between themobile and fixed hardware secure units.

A flag bit, such as “No” or “Yes”, can be provided on a key to denotewhether the key can be moved. The flag bit “No” on the key denotesimmovability, and the flag bit “Yes” denotes movability.

The attribute of a key can be set by a creator (user or upper-levelapplication) at the time of creation. If necessary, the attribute can bechanged as needed.

In the cooperation method of the mobile and fixed hardware secure unitsof the above embodiment, a communication pipe is established between themobile and fixed hardware secure units to enable secure filetransmission between the mobile and fixed hardware secure units. Also,the mobile and fixed hardware secure units are bound with each other,and if data is sent to a third party after the binding of the mobile andfixed hardware secure units, the data can be obtained only after boththe mobile and fixed hardware secure units performs decryption. In thisway, the cooperation method of the above embodiment solves the problemin the prior art that the fixed hardware secure unit based on computeror other device cannot be moved easily and some machine must bespecified, causing inconvenience in mobile usage. Further, in thecooperation method, the security solution based on a fixed hardwaresecure unit can be combined with a mobile hardware secure unit securinga user's identity, thereby improving security of data transmission.

FIG. 3 is a flowchart of the second embodiment of the cooperation methodin the present invention.

The cooperation method of mobile and fixed hardware secure units in thesecond embodiment comprises the following steps.

S10, provide a mobile hardware secure unit representing a user'sidentity.

The mobile hardware secure unit is one having an identity authorized bya server.

S20, provide a computer-based or other-device-based fixed hardwaresecure unit representing the identity of the platform.

A platform Identification secure chip is provided within the computer orother device. The platform Identification secure chip is loaded with aplatform certificate and responsible for providing the ID of theplatform to the outside. The platform Identification secure chip can beused as the fixed hardware secure unit.

S30, the mobile and fixed hardware secure units create a bidirectionalcommunication pipe by means of key negotiation or public key exchange.

The mobile and fixed hardware secure units can create the communicationpipe by means of public key exchange.

The mobile and fixed hardware secure units can create the communicationpipe by means of key negotiation.

The communication pipe can be updated or abolished at any time or undersome condition, such as certain time period or number of times, by thetwo parties, to guarantee security for transmission.

Update of the communication pipe: send a new key encrypted with an oldkey to the opposite party over the communication pipe and performcommunication with the new key to update the communication pipe.

Abolishment of the communication pipe: delete the old key directly andthus abolish the communication pipe.

S40, the mobile hardware secure unit and the fixed hardware secure unitare bound with each other through interaction of unique identificationinformation.

Specifically, the interaction of unique identification informationcomprises: the unique identification information of the mobile hardwaresecure unit is sent to the fixed hardware secure unit, which in turnrecognizes and records the unique identification information; meanwhile,the unique identification information of the fixed hardware secure unitis sent to the mobile hardware secure unit, which in turn recognizes andrecords the unique identification information. Such mutual recognitionand recording process is exactly a process of creating a bound betweenthe mobile hardware secure unit and the fixed hardware secure unit.

The interaction of unique identification information can be performedbetween the mobile hardware secure unit and the fixed hardware secureunit after the information undergoes cryptography processing. Thecontent to be interacted can be a result from some cryptographyprocessing, such as operations of hybridization, encryption, extending,HASH and HMAC. Then, the processing result is “exchanged” as basis ofbinding and recognition. Also, the information itself can be “exchanged”directly without any processing.

The interaction of unique Identification information can be performedbetween the mobile hardware secure unit and the fixed hardware secureunit after the information of both parties undergoes cryptographyprocessing.

The mobile hardware secure unit and the fixed hardware secure unit caninteract with each other via their unique identification information,such as certificate, key, ID, password, to achieve a mutual binding.

Every communication is required to be performed over the communicationpipe after it is established, and the communication pipe is encrypted.As a result, the above binding process is actually a process of mutualidentifying and recording. Both of the parties each remember the fixedunique identification information or HASH values of the information ofthe opposite party.

The binding between the mobile hardware secure unit and the fixedhardware secure unit can be created, queried or deleted, or can beupdated or abolished under some condition, such as certain time periodor number of times, to guarantee security for the binding.

S50, after establishing the binding relationship, the mobile and fixedhardware secure units each register to the server, which confirms thebinding relationship between the mobile and fixed hardware secure units.

The mobile and fixed hardware secure units can register to the servervia the following two approaches.

The First Approach

First, the mobile hardware secure unit packs information to beregistered with the server and transmits it to the fixed hardware secureunit.

The information can be securely transmitted from the mobile hardwaresecure unit to the fixed hardware secure unit, since there is bindingbetween the mobile and fixed hardware secure units.

Then, the fixed hardware secure unit packs its own registrationinformation together with the packed registration information of themobile hardware secure unit, and transmits the packed information to theserver.

The registration data packet received by the server contains theregistration information of both the mobile and fixed hardware secureunits. So, the server can confirm that there is secure bindingrelationship between the mobile and fixed hardware secure units.

The Second Approach

First, the mobile hardware secure unit packs information to beregistered with the server and transmits it to the server.

The registration data packet received by the server from the mobilehardware secure unit contains the unique identification information ofthe mobile hardware secure unit.

Then, the fixed hardware secure unit packs its own registrationinformation and the unique identification information of the mobilehardware secure unit together and transmits the packed information tothe server.

The fixed hardware secure unit packs its own registration informationand the unique identification information, such as ID, certificate orpassword, of the mobile hardware secure unit together and transmits thepacked information to the server.

The registration data packet received by the server from the fixedhardware secure unit contains the registration information of the fixedhardware secure unit and the unique identification information of themobile hardware secure unit. The server can compare the uniqueidentification information with that contained in the registration datapacket received by the server from the mobile hardware secure unit. Ifthe two piece of information are consistent, the server can confirm thatthere is secure binding relationship between the mobile and fixedhardware secure units.

The mobile and fixed hardware secure units can submit their identityinformation or keys to the server at the same time as registration.

The identity information can be any information that enables the serverto accurately identify the hardware secure units. For example, theidentity information can be simply a public key used for signatureverification or binding identification information or collection ofthese pieces of information.

When the user needs to present its identity to the server, the mobileand fixed hardware secure units are required to sign together under thebinding relationship and present the identities of the platform and theuser at the same time. Any of the two presentations is indispensible;otherwise, the server will reject any service.

While sending a service request to the server under the bindingrelationship, the mobile and fixed hardware secure units need to signtogether under the binding relationship so as to present the identitiesof the platform and the user at the same time.

When the user submits to the server his or her data such as “transfer XXdollars to XX account”, the information must be signed with theelectronic certificate of the mobile hardware secure unit like USB Key.Also, the fixed hardware secure unit, such as TPM (Trusted PlatformModule) on a computer, is needed for electronic certificateauthentication or signature. After the signing of both of the mobile andfixed hardware secure units, the data is then transmitted to the server.

The mobile and fixed hardware secure units can perform a secondaryencryption on content to be transmitted to the server.

The mobile and fixed hardware secure units can perform the secondaryencryption on plaintext to be transmitted to the server.

The mobile and fixed hardware secure units can perform secondary signingon the signature which represents identity information and is to betransmitted to the server.

In the case of asymmetrical key, the mobile and fixed hardware secureunits can perform second public key encryption on plaintext to betransmitted to the server. The mobile and fixed hardware secure unitscan perform second private key encryption on the signature whichrepresents identity information and is to be transmitted to the server.

Important data like electronic certificate must be encrypted anddecrypted twice by the mobile and fixed hardware secure units under thecondition of a binding between the two parties. Alternatively, each ofthe mobile and fixed hardware secure units can encrypt some dataindividually and unrepeated, so as to complete the encryption forsecurity enhancement.

The important data can be set or determined according to applications oras needed by the user.

The encryption and decryption keys for the important data should not bemoved between the two parties in a binding relationship to furtherguarantee data security. On the other hand, these keys can be encryptedand then moved or stored. Keys other than the encryption and decryptionkeys for the important data can be moved and backupped between themobile and fixed hardware secure units.

A flag bit, such as “No” or “Yes”, can be provided on a key to denotewhether the key can be moved. The flag bit “No” on the key denotesimmovability, and the flag bit “Yes” denotes movability.

The attribute of a key can be set by a creator (user or upper-levelapplication) at the time of creation. If necessary, the attribute can bechanged as needed.

In the cooperation method of the mobile and fixed hardware secure unitsof the above embodiment, a communication pipe is established between themobile and fixed hardware secure units to enable secure filetransmission between the mobile and fixed hardware secure units. Also,the mobile and fixed hardware secure units are bound with each other.After the creation of such binding relationship, the mobile and fixedhardware secure units 11, 12 each register to the server and submittheir identity information or key, respectively. and if data is sent tothe server after the binding of the mobile and fixed hardware secureunits, the data can be obtained only after both the mobile and fixedhardware secure units performs decryption, thereby improving security ofdata transmission.

The present invention provides a cooperation system of mobile and fixedhardware secure units, in which the security solution based on a fixedhardware secure unit can be combined with a mobile hardware secure unitsecuring a user's identity.

FIG. 4 is a flowchart of the first embodiment of the cooperation systemin the present invention.

The first embodiment of the cooperation system in the present inventioncomprises a mobile hardware secure unit 11, a fixed hardware secure unit12, a communication pipe establishment unit 13 and a binding unit 14.

The mobile hardware secure unit 11 is used for representing a user'sidentity.

The mobile hardware secure unit 11 can be one having an identityauthorized by a server, such as a hardware secure chip inside USB Key orsmart card.

The fixed hardware secure unit 12 is a computer-based orother-device-based fixed hardware secure unit representing the identityof the platform.

The fixed hardware secure unit 12 can be a platform Identificationsecure chip provided inside the computer or other device. The platformIdentification secure chip is loaded with a platform certificate andresponsible for providing the ID of the platform to the outside.

The communication pipe establishment unit 13 establishes a communicationpipe between the mobile and fixed hardware secure units by means of keynegotiation or public key exchange.

The communication pipe establishment unit 13 can establish a securecommunication pipe between the mobile and fixed hardware secure units bymeans of public key exchange.

The communication pipe establishment unit 13 can establish a securecommunication pipe between the mobile and fixed hardware secure units bymeans of key negotiation.

The communication pipe can be updated or abolished at any time or undersome condition, such as certain time period or number of times, by thetwo parties, to guarantee security for transmission.

Update of the communication pipe: the communication pipe establishmentunit 13 sends a new key encrypted with an old key to the opposite partyover the communication pipe and then perform communication with the newkey to update the communication pipe.

Abolishment of the communication pipe: the communication pipeestablishment unit 13 deletes the old key directly and thus abolish thecommunication pipe.

The binding unit 14 is used to binding the mobile hardware secure unitand the fixed hardware secure unit through interaction of uniqueidentification information between the two parties.

Specifically, the interaction of unique identification informationcomprises: the binding unit 14 controls the unique identificationinformation of the mobile hardware secure unit 11 to be sent to thefixed hardware secure unit 12, which in turn recognizes and records theunique identification information; meanwhile, the binding unit 14controls the unique identification information of the fixed hardwaresecure unit 12 to be sent to the mobile hardware secure unit 11, whichin turn recognizes and records the unique identification information.

The binding unit 14 can control the interaction of unique identificationinformation to be performed between the mobile hardware secure unit 11and the fixed hardware secure unit 12 after the information undergoescryptography processing. The content to be interacted can be a resultfrom some cryptography processing, such as operations of hybridization,encryption, extending, HASH and HMAC. Then, the processing result is“exchanged” as basis of binding and recognition. Also, the informationitself can be “exchanged” directly without any processing.

The binding unit 14 can control the interaction of unique Identificationinformation to be performed between the mobile hardware secure unit 11and the fixed hardware secure unit 12 after the information of bothparties undergoes cryptography processing.

The mobile hardware secure unit 11 and the fixed hardware secure unit 12can interact with each other via their unique identificationinformation, such as certificate, key, ID, password, to achieve a mutualbinding.

Every communication is required to be performed over the communicationpipe after it is established, and the communication pipe is encrypted.As a result, the above binding process is actually a process of mutualidentifying and recording. Both of the parties each remember the fixedunique identification information or HASH values of the information ofthe opposite party.

The binding between the mobile hardware secure unit 11 and the fixedhardware secure unit 12 can be created, queried or deleted, or can beupdated or abolished under some condition, such as certain time periodor number of times, to guarantee security for the binding.

In the cooperation system of the mobile and fixed hardware secure unitsof the above embodiment, a communication pipe is established by thecommunication pipe establishment unit 13 between the mobile and fixedhardware secure units 11, 12 to enable secure file transmission betweenthe mobile and fixed hardware secure units. Also, the mobile and fixedhardware secure units 11, 12 are bound with each other by the bindingunit 14, and if data is sent to a third party after the binding of themobile and fixed hardware secure units 11, 12, the data can be obtainedonly after both the mobile and fixed hardware secure units 11, 12performs decryption. In this way, the cooperation system of the aboveembodiment solves the problem in the prior art that the fixed hardwaresecure unit based on computer or other device cannot be moved easily andsome machine must be specified, causing inconvenience in mobile usage.Further, in the cooperation method, the security solution based on afixed hardware secure unit 12 can be combined with a mobile hardwaresecure unit 11 securing a user's identity, thereby improving security ofdata transmission.

FIG. 5 is a flowchart of the second embodiment of the cooperation systemin the present invention.

Compared with the above first embodiment, the second embodiment of thecooperation system is additionally provided with a server 15.

The second embodiment of the cooperation system in the present inventioncomprises a server 15, a mobile hardware secure unit 11, a fixedhardware secure unit 12, a communication pipe establishment unit 13 anda binding unit 14.

The mobile hardware secure unit 11 is used for representing a user'sidentity.

The fixed hardware secure unit 12 is a computer-based orother-device-based fixed hardware secure unit representing the identityof the platform.

The communication pipe establishment unit 13 establishes a communicationpipe between the mobile and fixed hardware secure units 11, 12 by meansof key negotiation or public key exchange.

The binding unit 14 binds the mobile hardware secure unit 11 and thefixed hardware secure unit 12 together through interaction of uniqueidentification information of the two parties.

The server 15 is in communication with each of the mobile and the fixedhardware secure units 11, 12 and the binding unit 14. After establishingthe binding relationship between the mobile and fixed hardware secureunits 11, 12, the server 15 provides registration for the mobile andfixed hardware secure units 11, 12.

After the binding unit 14 binds the mobile hardware secure unit 11 andthe fixed hardware secure unit 12 together, the mobile and fixedhardware secure units 11, 12 submit their relevant information or keysto the server 15 at the same time.

The relevant information can be any information that enables the server15 to accurately identify the hardware secure units. For example, theidentity information can be simply a public key used for signatureverification or binding identification information or collection ofthese pieces of information.

When the user needs to present its identity to the server 15, the mobileand fixed hardware secure units 11, 12 are required to sign togetherunder the binding relationship and present the identities of theplatform and the user at the same time. Any of the two presentations isindispensible; otherwise, the server 15 will reject any service.

While sending a service request to the server 15 under the bindingrelationship, the mobile and fixed hardware secure units 11, 12 need tosign together under the binding relationship so as to present theidentities of the platform and the user at the same time.

When the user submits to the server 15 his or her data such as “transferXX dollars to XX account”, the information must be signed with theelectronic certificate of the mobile hardware secure unit 11 like USBKey. Also, the fixed hardware secure unit 12, such as TPM (TrustedPlatform Module) on a computer, is needed for electronic certificateauthentication or signature. After the signing of both of the mobile andfixed hardware secure units 11, 12, the data is then transmitted to theserver 15.

The mobile and fixed hardware secure units 11, 12 can perform asecondary encryption on content to be transmitted to the server 15.

The mobile and fixed hardware secure units 11, 12 can perform thesecondary encryption on plaintext to be transmitted to the server 15.

The mobile and fixed hardware secure units 11, 12 can perform secondarysigning on the signature which represents identity information and is tobe transmitted to the server 15.

In the case of asymmetrical key, the mobile and fixed hardware secureunits 11, 12 can perform second public key encryption on plaintext to betransmitted to the server 15. The mobile and fixed hardware secure units11, 12 can perform second private key encryption on the signature whichrepresents identity information and is to be transmitted to the server15.

Important data like electronic certificate must be encrypted anddecrypted twice by the mobile and fixed hardware secure units 11, 12under the condition of a binding between the two parties. Alternatively,each of the mobile and fixed hardware secure units 11, 12 can encryptsome data individually and unrepeated, so as to complete the encryptionfor security enhancement.

The important data can be set or determined according to applications oras needed by the user.

The encryption and decryption keys for the important data should not bemoved between the two parties 11, 12 in a binding relationship tofurther guarantee data security. On the other hand, these keys can beencrypted and then moved or stored. Keys other than the encryption anddecryption keys for the important data can be moved and backed-upbetween the mobile and fixed hardware secure units 11, 12.

A flag bit, such as “No” or “Yes”, can be provided on a key to denotewhether the key can be moved. The flag bit “No” on the key denotesimmovability, and the flag bit “Yes” denotes movability.

The attribute of a key can be set by a creator (user or upper-levelapplication) at the time of creation. If necessary, the attribute can bechanged as needed.

In the cooperation system of the mobile and fixed hardware secure unitsof the above embodiment, a communication pipe is established by thecommunication pipe establishment unit 13 between the mobile and fixedhardware secure units 11, 12 to enable secure file transmission betweenthe mobile and fixed hardware secure units 11, 12. Also, the mobile andfixed hardware secure units 11, 12 are bound with each other by thebinding unit 14. After the creation of such binding relationship, themobile and fixed hardware secure units 11, 12 each register to theserver 15 and submit their identity information or key, respectively.and if data is sent to the server 15 after the binding of the mobile andfixed hardware secure units, the data can be obtained only after boththe mobile and fixed hardware secure units 11, 12 performs decryption,thereby improving security of data transmission.

The present invention provides a computer device, of which the securitysolution based on a fixed hardware secure unit can be combined with amobile hardware secure unit securing a user's identity.

The computer device of the present invention comprises a fixed hardwaresecure unit firmed inside the computer. The fixed hardware secure unitis loaded with a plat certificate and used to represent the platform'sidentity.

A bi-directional communication pipe is established between the fixedhardware secure unit and a mobile hardware secure unit representing auser's identity. The mobile hardware secure unit and the fixed hardwaresecure unit are bound with each other through interaction of uniqueidentification information.

The mobile and fixed hardware secure units can establish thebi-directional communication pipe by means of key negotiation or publickey exchange. For details of the establishment process, please refer tothe above description.

The bi-directional communication pipe can be updated or abolished by anyone of the mobile and fixed hardware secure units or by the two unitstogether.

The bi-directional communication pipe can be updated or abolished by themobile and/or fixed hardware secure units under some predeterminedcondition.

Specifically, the interaction of unique identification informationcomprises: the unique identification information of the mobile hardwaresecure unit is sent to the fixed hardware secure unit, which in turnrecognizes and records the unique identification information; meanwhile,the unique identification information of the fixed hardware secure unitis sent to the mobile hardware secure unit, which in turn recognizes andrecords the unique identification information.

The interaction of unique identification information can be performedbetween the mobile hardware secure unit and the fixed hardware secureunit after the information undergoes cryptography processing.

In the computer system of the present invention, a communication pipe isestablished between the fixed hardware secure unit firmed inside thecomputer device and the mobile hardware secure unit representing theuser's identity to enable secure file transmission between the mobileand fixed hardware secure units. Also, the mobile and fixed hardwaresecure units are bound with each other, and if data is sent to a thirdparty after the binding of the mobile and fixed hardware secure units,the data can be obtained only after both the mobile and fixed hardwaresecure units performs decryption. In this way, the cooperation method ofthe above embodiment solves the problem in the prior art that the fixedhardware secure unit based on computer or other device cannot be movedeasily and some machine must be specified, causing inconvenience inmobile usage. Further, in the computer system of the present invention,the security solution based on the fixed hardware secure unit can becombined with the mobile hardware secure unit securing a user'sidentity, thereby improving security of data transmission.

The foregoing description is only the preferred embodiments of thepresent invention and not intended to limit the present invention. Thoseordinarily skilled in the art will appreciate that any modification orsubstitution in the principle of the present invention shall fall intothe scope of the present invention defined by the appended claims.

What is claimed is:
 1. A cooperation method of a mobile hardware secureunit and a fixed hardware secure unit, comprising: providing user'sidentification information by the mobile hardware secure unit; providingplatform's identification information by the fixed hardware secure unit;establishing a bidirectional communication pipe between the mobile andfixed hardware secure units by means of key negotiation or public keyexchange; and binding the mobile and fixed hardware secure units throughinteraction of the user's identification information and the platform'sidentification information over the established bidirectionalcommunication pipe, wherein the interaction comprises sending the user'sidentification information provided by the mobile hardware secure unitto the fixed hardware secure unit which in turn recognizes and recordsthe user's identification information, and sending the platform'sidentification information provided by the fixed hardware secure unit tothe mobile hardware secure unit which in turn recognizes and records theplatform's identification information; and registering by each of themobile and fixed hardware secure units to a server, which confirms thebinding relationship between the mobile and fixed hardware secure units;wherein the interaction is performed after the user's identificationinformation provided by the mobile hardware secure unit and/or theplatform's identification information provided by the fixed hardwaresecure unit undergoes cryptography processing, and wherein while sendinga service request to the server, the mobile and fixed hardware secureunits each sign under the binding relationship to present the platform'sidentification information and the user's identification information atthe same time.
 2. The cooperation method of claim 1, wherein thebi-directional communication pipe is updated or abolished by the mobileand/or fixed hardware secure units.
 3. The cooperation method of claim1, wherein the registration of the mobile and fixed hardware secureunits to the server comprises: the mobile hardware secure unit packinginformation to be registered with the server and transmitting it to thefixed hardware secure unit; the fixed hardware secure unit packing itsown registration information together with the packed registrationinformation of the mobile hardware secure unit, and transmitting thepacked information to the server.
 4. The cooperation method of claim 1,wherein the registration of the mobile and fixed hardware secure unitsto the server comprises: the mobile hardware secure unit packinginformation to be registered with the server and transmitting it to theserver; the fixed hardware secure unit packing its own registrationinformation and the user's identification information of the mobilehardware secure unit together and transmitting the packed information tothe server.
 5. A cooperation system of a mobile hardware secure unit anda fixed hardware secure unit, comprising a mobile hardware secure unit,a fixed hardware secure unit, a communication pipe establishment unitand a binding unit and a processing unit, wherein the mobile hardwaresecure unit is configured to provide a user's identity; the fixedhardware secure unit is configured to provide a platform's identity; thecommunication pipe establishment unit is configured to establish abidirectional communication pipe between the mobile and fixed hardwaresecure units by means of key negotiation or public key exchange; theprocessing unit is configured to perform cryptography processing on theuser's identity provided by the mobile hardware secure unit and/or theplatform's identity provided by the fixed hardware secure unit and thebinding unit is configured to bind the mobile and fixed hardware secureunits together through interaction of the user's identity and theplatform's identity over the established bidirectional communicationpipe, wherein the interaction comprises sending the user's identityprovided by the mobile hardware secure unit to the fixed hardware secureunit which in turn recognizes and records the user's identity, andsending the platform's identity provided by the fixed hardware secureunit to the mobile hardware secure unit which in turn recognizes andrecords the platform's identity; wherein each of the mobile and fixedhardware secure units registers with a server, which confirms thebinding relationship between the mobile and fixed hardware secure units,and wherein while sending a service request to the server, the mobileand fixed hardware secure units each sign under the binding relationshipto present the platform's identity and the user's identity at the sametime.
 6. The cooperation system of claim 5, further comprising acondition setting unit and/or an update unit and/or an abolishment unit,wherein the condition setting unit is configured to set a condition forupdating or abolishing the bidirectional communication pipe; the updateunit is configured to update the bidirectional communication pipe orupdating the bidirectional communication pipe according to the conditionset by the condition setting unit; and the abolishment unit isconfigured to abolish the bidirectional communication pipe or abolishingthe bidirectional communication pipe according to the condition set bythe condition setting unit.
 7. A computer device comprising a fixedhardware secure unit and a processing unit, the fixed hardware secureunit is loaded with a platform certificate for providing a platform'sidentity, wherein: a bidirectional communication pipe is establishedbetween the fixed hardware secure unit and a mobile hardware secure unitto provide a user's identity by means of key negotiation or public keyexchange; the processing unit is configured to perform cryptographyprocessing on the user's identity provided by the mobile hardware secureunit and/or the platform's identity provided by the fixed hardwaresecure unit; and the mobile and fixed hardware secure units are boundtogether through interaction of the user's identity and the platform'sidentity over the established bidirectional communication pipe, whereinthe interaction comprises sending the user's identity provided by themobile hardware secure unit to the fixed hardware secure unit which inturn recognizes and records the user's identity, and sending theplatform's identity provided by the fixed hardware secure unit to themobile hardware secure unit which in turn recognizes and records theplatform's identity wherein each of the mobile and fixed hardware secureunits registers with a server, which confirms the binding relationshipbetween the mobile and fixed hardware secure units, and wherein whilesending a service request to the server, the mobile and fixed hardwaresecure units each sign under the binding relationship to present theplatform's identity and the user's identity at the same time.
 8. Thecomputer device of claim 7, further comprising a condition setting unitand/or an update unit and/or an abolishment unit, wherein the conditionsetting unit is configured to set a condition for updating or abolishingthe bidirectional communication pipe; the update unit is configured toupdate the bidirectional communication pipe or updating thebidirectional communication pipe according to the condition set by thecondition setting unit; and the abolishment unit is configured toabolish the bidirectional communication pipe or abolishing thebidirectional communication pipe according to the condition set by thecondition setting unit.